Page 62 - Security Today, September 2018
MALICIOUS ATTACKS
Store, no checks are perfect. We still see news about malicious apps making their way into the public arena in the Google Play Store several times a year.
With communications allowed between extensions, it’s also theoretically possible for an adversary with two or more extensions installed on a user’s browser to covertly pass information or perform different parts of an attack on the system. Then, there’s the problem of very carefully-hidden Trojan extensions and the ability to hijack and implant code into a trusted developer’s development system. These are all potential ways in for persistent and sophisticated attackers.
This is not to pick on Chrome—other browsers absolutely hold malicious extensions. Firefox still allows add-ons (their extensions) to be hosted external to their store, which eliminates a central point for management. Its publishing process is also less than rigorous, and seems to focus only on code correctness. And while Safari does review extensions before including them in the App Store, we still hear of malicious apps appearing there from time to time.
Identifying Malicious Extensions
For security analysts, identifying malicious extensions is no easy task. They aren’t going to show up in places analysts typically monitor such as CMDBs or logs. The only way to find them is on the network. If analysts are looking for something that the extension happens to do—such as leaking passwords in an obvious way or matching a network signature or indicator of compromise for malicious activity—it’s possible that their security tools will generate alerts pointing them to the related traffic that occurs after the fact.
If the tool an analyst is using has the ability to parse HTTP headers in a meaningful way, they may also be able to find malicious extensions by identifying these behaviors while looking for the Chrome-Extension value within the header. With the more flexible query languages offered by cutting-edge tools, it’s easy to become more or less specific with respect to what you’re looking for within HTTP, whether it be the headers or some other location.
In short, the original discovery of the malicious extension information and the ways it is stored would likely be by chance or by deep investigation. However, if a tool the analyst uses has the ability to spot malicious activity, then the hard work of identifying the bad extension can be done by one researcher and reused by many.
The Challenge in Responding to Malicious Extensions
While finding a malicious extension is a major challenge, it’s still only the first step. The ability to contextualize the behavior associated with the session with respect to the device and its peers is where the baggage of current-version technologies slows analysts down.
Once a malicious extension is detected, analysts will quickly want to know what to do to stop the bleeding. Are any external communications related to this? Is any information being exfiltrated? What kinds of attacks are occurring internally? Is any pivoting/lateral movement behavior happening with stolen credentials, possibly accessing more sensitive data? They’ll also quickly want to know who else is affected—spanning both devices and users—when they were infected, which browsers and versions are impacted, whether the decision to install the extension was completely voluntary, and more.
Each of the above steps can take tens of minutes to hours—and in some cases, they are impossible given time constraints and resources. The overall security maturity of the organization, and whether or not the security development team has created home-grown solutions to unify typically disparate pieces of information and infrastructure, will determine how effectively this workflow can be handled.
Today, overburdened analysts will typically only do this type of thorough investigation if there’s enough certainty that this is a truly serious incident—there are simply not enough human resources, nor the right incentives in the SOC, to do this deep level of work for naught. Moreover, the problem is exacerbated since existing security technologies provide little to no context—leaving it to the analyst to figure things out.
At Awake Security, we call this problem the Investigation Gap. After prevention methods fail, potential threats are detected and security alerts are generated, the time-consuming and manual heavy lifting of an investigation falls to the analysts before any remediation steps can be taken. If an organization’s security tools miss a potential threat and no alert is generated, it falls on the analysts to find time to threat hunt and identify malicious activity on their own—a task that’s nearly impossible in most SOCs given their existing alert investigation workload.
The recent Chrome news put a spotlight on malicious browser extensions that underscores the risk incurred when trust is given to third parties. Often that trust is not well understood when given, and quickly forgotten. However, it also points to a deeper underlying issue for analysts working to identify malicious extensions and mitigate their harmful effects.
It’s critical that we find new ways to give analysts deep visibility into the network and streamline their time spent getting from questions to answers during their investigations. Only then will we start gaining ground on this type of challenge.
David Pearson is the principal threat researcher at Awake Security.
0918 | NETWORKING SECURITY
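As an added illustration of the header-based hunt described under "Identifying Malicious Extensions" (example code written for this page, not the article's or Awake Security's own tooling), the Python below pulls Chrome extension IDs out of the Origin and Referer headers of constructed sample requests and groups the traffic by extension, destination host and source device, which is the context the response questions later on the page ask for. The request records, hosts and addresses are all invented for the example.

```python
import re
from collections import defaultdict

# Chrome extension IDs are 32 characters drawn from the letters a-p; a request
# initiated by an extension carries "chrome-extension://<id>" in its Origin
# (and sometimes Referer) header, which is the value the hunt looks for.
EXT_ID_RE = re.compile(r"chrome-extension://([a-p]{32})", re.IGNORECASE)

# Constructed sample requests (not real captured traffic): source device,
# destination host, method and the headers an analyst's tool has parsed.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.12", "host": "collector.example.test", "method": "POST",
     "headers": {"Origin": "chrome-extension://abcdefghijklmnopabcdefghijklmnop"}},
    {"src": "10.0.0.15", "host": "collector.example.test", "method": "POST",
     "headers": {"origin": "chrome-extension://ABCDEFGHIJKLMNOPABCDEFGHIJKLMNOP"}},
    {"src": "10.0.0.12", "host": "cdn.example.test", "method": "GET",
     "headers": {"Referer": "chrome-extension://ppppppppppppppppaaaaaaaaaaaaaaaa/popup.html"}},
    {"src": "10.0.0.20", "host": "www.example.test", "method": "GET",
     "headers": {"Origin": "https://www.example.test"}},
]


def extension_id(headers):
    """Return the extension ID named in Origin or Referer, or None.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        m = EXT_ID_RE.search(lowered.get(name, ""))
        if m:
            return m.group(1).lower()
    return None


def summarize(requests):
    """Group extension-originated requests by extension ID, recording the
    destination hosts, the devices involved and how many POSTs (data leaving
    the browser) each extension made."""
    out = defaultdict(lambda: {"hosts": set(), "devices": set(), "posts": 0})
    for r in requests:
        ext = extension_id(r["headers"])
        if ext is None:
            continue  # ordinary page traffic, not extension-initiated
        rec = out[ext]
        rec["hosts"].add(r["host"])
        rec["devices"].add(r["src"])
        if r["method"].upper() == "POST":
            rec["posts"] += 1
    return dict(out)


if __name__ == "__main__":
    for ext, rec in summarize(SAMPLE_REQUESTS).items():
        print(ext, sorted(rec["hosts"]), sorted(rec["devices"]), rec["posts"])
```

In practice the records would come from the traffic-analysis tool's HTTP parser rather than a hard-coded list; an extension seen POSTing from several devices to one unfamiliar host is the kind of pivot the article's follow-up questions start from.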